Rex field to pick the value as column and duration value as row against them. Refer to the below.
Date And Time | Siline | PrimaryAddress | SearchInServicing | NavExistingAddresses |
2/11/1982 1:25 | 1.132 | 1.375 | 1.149 | 1.885 |
XML format
<Transaction Name="Naviline" Time="02/11/1982 01:25:07:223" Duration="9.034" />
<Transaction Name="SePipeline" Time="02/11/1982 01:25:07:899" Duration="0.662" />
<Transaction Name="NdwIncuse" Time="02/11/1982 01:25:09:553" Duration="1.614" />
<Transaction Name="EnterDetails" Time="02/11/1982 01:25:11:532" Duration="1.916" />
<Transaction Name="SIline" Time="02/11/1982 01:25:12:703" Duration="1.132" />
<Transaction Name="GetWindowIn" Time="02/11/1982 01:25:20:748" Duration="7.957" />
<Transaction Name="PrimaryAddress" Time="02/11/1982 01:25:22:154" Duration="1.375" />
<Transaction Name="WindowingTouch" Time="02/11/1982 01:25:51:674" Duration="1.365" />
<Transaction Name="dailysearch" Time="02/11/1982 01:26:01:908" Duration="10.141" />
<Transaction Name="SearchInServicing" Time="02/11/1982 01:26:03:115" Duration="1.149" />
<Transaction Name="NavExistingAddresses" Time="02/11/1982 01:26:05:060" Duration="1.885" />
This is because the transactions have different times - how do you want to group the transactions - by hour? by date? by event (ignoring the datetime)?
| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")
Here is a run-anywhere example showing it working (the part before the blank lines sets up sample data in line with your example). If your events are different in some way, perhaps you can share them.
| makeresults
| eval _raw="<Transaction Name=\"Naviline\" Time=\"02/11/1982 01:25:07:223\" Duration=\"9.034\" />
<Transaction Name=\"SePipeline\" Time=\"02/11/1982 01:25:07:899\" Duration=\"0.662\" />
<Transaction Name=\"NdwIncuse\" Time=\"02/11/1982 01:25:09:553\" Duration=\"1.614\" />
<Transaction Name=\"EnterDetails\" Time=\"02/11/1982 01:25:11:532\" Duration=\"1.916\" />
<Transaction Name=\"SIline\" Time=\"02/11/1982 01:25:12:703\" Duration=\"1.132\" />
<Transaction Name=\"GetWindowIn\" Time=\"02/11/1982 01:25:20:748\" Duration=\"7.957\" />
<Transaction Name=\"PrimaryAddress\" Time=\"02/11/1982 01:25:22:154\" Duration=\"1.375\" />
<Transaction Name=\"WindowingTouch\" Time=\"02/11/1982 01:25:51:674\" Duration=\"1.365\" />
<Transaction Name=\"dailysearch\" Time=\"02/11/1982 01:26:01:908\" Duration=\"10.141\" />
<Transaction Name=\"SearchInServicing\" Time=\"02/11/1982 01:26:03:115\" Duration=\"1.149\" />
<Transaction Name=\"NavExistingAddresses\" Time=\"02/11/1982 01:26:05:060\" Duration=\"1.885\" />"
| multikv noheader=t
| table _raw
| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| fields - name duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses
When I run the whole command including the raw data, it worked for me as well.
But when I run only these commands, it gives me the header detail but no values against them except the date column. Refer to the below screenshot.
| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<Date>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval Time=strptime(Date, "%d/%m/%Y %H:%M")
| eval {name}='duration'
| fields - name duration
| stats values(*) as * by Date
| fieldformat Time=strftime(Date, "%d/%m/%Y")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses
Please refer to the attached actual data available in Splunk.
It always helps to have a more complete picture! Try this
| makeresults
| eval _raw="<PerformanceReport>
<SearchCustomer>
<Transaction Name=\"Naviline\" Time=\"02/11/1982 01:25:07:223\" Duration=\"9.034\" />
<Transaction Name=\"SePipeline\" Time=\"02/11/1982 01:25:07:899\" Duration=\"0.662\" />
<Transaction Name=\"NdwIncuse\" Time=\"02/11/1982 01:25:09:553\" Duration=\"1.614\" />
<Transaction Name=\"EnterDetails\" Time=\"02/11/1982 01:25:11:532\" Duration=\"1.916\" />
<Transaction Name=\"SIline\" Time=\"02/11/1982 01:25:12:703\" Duration=\"1.132\" />
<Transaction Name=\"GetWindowIn\" Time=\"02/11/1982 01:25:20:748\" Duration=\"7.957\" />
<Transaction Name=\"PrimaryAddress\" Time=\"02/11/1982 01:25:22:154\" Duration=\"1.375\" />
<Transaction Name=\"WindowingTouch\" Time=\"02/11/1982 01:25:51:674\" Duration=\"1.365\" />
<Transaction Name=\"dailysearch\" Time=\"02/11/1982 01:26:01:908\" Duration=\"10.141\" />
<Transaction Name=\"SearchInServicing\" Time=\"02/11/1982 01:26:03:115\" Duration=\"1.149\" />
<Transaction Name=\"NavExistingAddresses\" Time=\"02/11/1982 01:26:05:060\" Duration=\"1.885\" />
</PerformanceReport>
</SearchCustomer>"
| rex max_match=0 "\<Transaction (?<transaction>.*)\s\/\>"
| mvexpand transaction
| rex field=transaction "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(time,"%d/%m/%Y %H:%M")
| eval {name}=duration
| fields - name duration
| stats values(*) as * by time
| fieldformat time=strftime(time,"%d/%m/%Y %H:%M")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses
Like I said earlier, your whole query worked properly, but when I run only the below code it's not giving me any output.
Refer to the below screenshot.
Try the lines adding one at a time to see at which point you lose the events
When I removed the below line from the code, I'm getting the header detail but no value against them except the date column. I also changed time to Date in the code (refer to the attachment).
stats values(*) as * by time
index=XXXXX
| rex "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<Date>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\""
| eval time=strptime(Date, "%d/%m/%Y")
| eval {name}=duration
| fields - name duration
| fieldformat time=strftime(Date, "%d/%m/%Y")
| table time SIline PrimaryAddress SearchInServicing NavExistingAddresses
You don't appear to have included these lines from my example
| rex max_match=0 "\<Transaction (?<transaction>.*)\s\/\>" | mvexpand transaction
It's pulling data, but it's scattered the values across multiple rows. Probably it's because of
mvexpand transaction
If we can ignore the seconds from the date, that would be great.
What is the current SPL you are using?
The one you shared:
| rex max_match=0 "\<Transaction (?<transaction>.*)\s\/\>" | mvexpand transaction | rex field=transaction "Name=\"(?<name>[^\"]+)\"\sTime=\"(?<time>[^\"]+)\"\sDuration=\"(?<duration>[^\"]+)\"" | eval time=strptime(time,"%d/%m/%Y %H:%M") | eval {name}=duration | fields - name duration | stats values(*) as * by time | fieldformat time=strftime(time,"%d/%m/%Y %H:%M") | table time SIline PrimaryAddress SearchInServicing NavExistingAddresses
It's coming like this; it doesn't remove the seconds and the rest either,
in which I changed time to Date.
Your Date has seconds in whereas my time does not - if you are not prepared to show exactly what you are doing, how do you expect me to be able to find the error?
If you are using the search I shared, where is the Date field coming from? Can you share the actual search you are using to get these results?
This is because the transactions have different times - how do you want to group the transactions - by hour? by date? by event (ignoring the datetime)?
By date, so that it should be displayed in one line.
| eval time=strptime(time,"%d/%m/%Y")
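As an added illustration (not part of the thread, and not Splunk code), the same pipeline written in plain Python: the rex extraction from the answer's full example, the `eval {name}=duration | stats values(*) as * by time` pivot, and the bucket-granularity choice behind the final "by date" fix. The sample event is constructed from a subset of the transactions shown above; `GRANULARITY`, `parse_transactions`, `pivot` and `render` are names chosen here.

```python
import re
from datetime import datetime

# Constructed sample event in the thread's XML layout (a subset of the
# transactions shown above, with the same timestamps and durations).
SAMPLE_EVENT = """<PerformanceReport>
<SearchCustomer>
<Transaction Name="Naviline" Time="02/11/1982 01:25:07:223" Duration="9.034" />
<Transaction Name="SIline" Time="02/11/1982 01:25:12:703" Duration="1.132" />
<Transaction Name="PrimaryAddress" Time="02/11/1982 01:25:22:154" Duration="1.375" />
<Transaction Name="SearchInServicing" Time="02/11/1982 01:26:03:115" Duration="1.149" />
<Transaction Name="NavExistingAddresses" Time="02/11/1982 01:26:05:060" Duration="1.885" />
</SearchCustomer>
</PerformanceReport>"""

# Same capture groups as the thread's rex: the Name, Time and Duration attributes.
TRANSACTION_RE = re.compile(
    r'<Transaction Name="(?P<name>[^"]+)"\sTime="(?P<time>[^"]+)"'
    r'\sDuration="(?P<duration>[^"]+)"\s*/>')

# Bucket formats matching the strptime/strftime choices discussed in the thread.
GRANULARITY = {"minute": "%d/%m/%Y %H:%M", "hour": "%d/%m/%Y %H", "date": "%d/%m/%Y"}

def parse_transactions(raw):
    """Return (name, timestamp, duration) for every <Transaction .../> in one event."""
    rows = []
    for m in TRANSACTION_RE.finditer(raw):
        # Time ends in ":milliseconds"; Python's strptime rejects trailing text,
        # so keep only the 19-character "%d/%m/%Y %H:%M:%S" prefix.
        ts = datetime.strptime(m["time"][:19], "%d/%m/%Y %H:%M:%S")
        rows.append((m["name"], ts, float(m["duration"])))
    return rows

def pivot(rows, by="date"):
    """One row per time bucket, one column per name, values deduplicated and sorted."""
    fmt = GRANULARITY[by]
    table = {}
    for name, ts, duration in rows:
        table.setdefault(ts.strftime(fmt), {}).setdefault(name, set()).add(duration)
    return {bucket: {n: sorted(v) for n, v in cols.items()} for bucket, cols in table.items()}

def render(table, columns):
    """Print the selected columns like the `table time SIline ...` command."""
    print(" | ".join(["time"] + columns))
    for bucket, cols in sorted(table.items()):
        print(" | ".join([bucket] + [",".join(map(str, cols.get(c, []))) for c in columns]))

if __name__ == "__main__":
    rows = parse_transactions(SAMPLE_EVENT)
    cols = ["SIline", "PrimaryAddress", "SearchInServicing", "NavExistingAddresses"]
    render(pivot(rows, "minute"), cols)   # two rows: 01:25 and 01:26 buckets
    render(pivot(rows, "date"), cols)     # one row, as the asker wanted
```

Grouping by minute splits the transactions across two rows because their timestamps straddle 01:25 and 01:26; grouping by date collapses them into the single line the asker was after.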